Patents by Inventor Jonathan Kozolchyk

Jonathan Kozolchyk has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11888994
    Abstract: Described are automated systems and methods for providing a template design for a public-key infrastructure (PKI) system. For example, certain infrastructure information and stored PKI information can be processed to determine a PKI template, which can specify the configuration for a proposed PKI hierarchy. A configurable representation of the proposed PKI hierarchy can be generated and presented to the user, which can facilitate review, modification, and further customization of the proposed PKI hierarchy. Aspects of the present disclosure can also determine costs associated with the proposed PKI hierarchy, and can create and deploy the proposed PKI hierarchy.
    Type: Grant
    Filed: June 30, 2021
    Date of Patent: January 30, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Param Sharma, Josh Rosenthol, Todd Cignetti, Jonathan Kozolchyk
  • Patent number: 11888997
    Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, customers may use the certificate management service to generate a private certificate authority which can issue signed certificates to network entities within the customer enterprise. In an embodiment, the private certificate authority is hosted by the computing resource service provider, and the certificate management service automates the renewal and management of active certificates. In an embodiment, the certificate management service allows customer applications to create, renew, and revoke certificates issued by both private and public certificate authorities via an application programming interface.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: January 30, 2024
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Zachary Bowen, Todd Lawrence Cignetti, Preston Anthony Elder, III, Brandonn Gorman, Ronald Andrew Hoskinson, Jonathan Kozolchyk, Kenneth Lawler, Marcel Andrew Levy, Kyle Benjamin Schultheiss, Sandeep Shantharaj, Param Sharma, Jose Maria Silveira Neto
  • Patent number: 11824918
    Abstract: Techniques for HyperText Transfer Protocol (HTTP) POST method request translation are described. A router of a Content Distribution Network (CDN) receives an HTTP POST method request seeking to obtain a resource and sends the request to a request translation engine. The request translation engine, based on the request, generates a corresponding HTTP GET method request and sends it back to the router, which obtains a response object from an origin server or from one or more levels of cache implemented by the CDN. The response object is passed back via a response message to the router, which sends the response message back to the request translation engine. The request translation engine, in turn, sends the response message back to the router, which sends the response message back to the originating client.
    Type: Grant
    Filed: June 29, 2020
    Date of Patent: November 21, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Jia Zhao, Changbing Zhao, Brandy Khicorah Kinlaw, Yiwen Wu, Jonathan Kozolchyk, Peter Bowen
  • Patent number: 11621948
    Abstract: A computer system detects that a digital certificate is set to expire within a threshold amount of time. In response to detecting that the digital certificate is set to expire, the computer system generates an update to cause a second computer system to perform operations to indicate an upcoming expiration of the digital certificate. The computer system provides the update to the second computer system to cause the second computer system to perform the operations.
    Type: Grant
    Filed: November 15, 2019
    Date of Patent: April 4, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Patent number: 11563590
    Abstract: A computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by public and/or private certificate authorities. In an embodiment, when a new certificate is generated, a certificate template is used to apply various settings and policies for the new certificate. In various examples, templates may be used to establish default values, enforce required and optional values, place restrictions on one or more data fields, and enforce signature requirements. In some embodiments, the template establishes rules for rejecting certificate requests that don't conform to the template.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: January 24, 2023
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Zachary Bowen, Todd Lawrence Cignetti, Preston Anthony Elder, III, Brandonn Gorman, Ronald Andrew Hoskinson, Jonathan Kozolchyk, Kenneth Lawler, Marcel Andrew Levy, Kyle Benjamin Schultheiss, Sandeep Shantharaj, Param Sharma, Jose Maria Silveira Neto
  • Patent number: 11533185
    Abstract: Systems and methods for generating and managing certificate authorities. For instance, a certificate service may provide one or more user interfaces for creating certificate authorities, such as a root certificate authority, a subordinate certificate authority, and/or an intermediate certificate authority. For example, a user may use a user device to create a certificate hierarchy. The certificate service may also provide one or more user interfaces for issuing certificates using the certificate authorities. One or more computing resources may then use the end-entity certificates issued from the certificate authority hierarchy for authentication and/or encryption. For security purposes, the certificate authority may also allow the user to set policies representing users that are able to access and/or utilize the certificate authorities to perform actions, such as issuing certificates.
    Type: Grant
    Filed: June 23, 2020
    Date of Patent: December 20, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Param Sharma, Jonathan Kozolchyk, Todd Cignetti, Kyle Benjamin Schultheiss, Josh Rosenthol, Jose Maria Silveira Neto, Yiwen Wu
  • Patent number: 11451392
    Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
    Type: Grant
    Filed: July 6, 2018
    Date of Patent: September 20, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
  • Patent number: 11323274
    Abstract: In an embodiment, a computing resource service provider provides a certificate management service that allows customers of the computing resource service provider to create, distribute, manage, and revoke digital certificates issued by private certificate authorities. In an embodiment, a private certificate authority hosted by the computing resource service provider is able to issue signed certificates to network entities within the customer enterprise. In an embodiment, the certificate management service provides a network-accessible application programming interface to the private certificate authority that allows applications to create and deploy private certificates programmatically. In an embodiment, the system provides the flexibility to create private certificates for applications that require custom certificate lifetimes or resource names.
    Type: Grant
    Filed: June 25, 2018
    Date of Patent: May 3, 2022
    Assignee: Amazon Technologies, Inc.
    Inventors: Peter Zachary Bowen, Todd Lawrence Cignetti, Preston Anthony Elder, III, Brandonn Gorman, Ronald Andrew Hoskinson, Jonathan Kozolchyk, Kenneth Lawler, Marcel Andrew Levy, Kyle Benjamin Schultheiss, Sandeep Shantharaj, Param Sharma, Jose Maria Silveira Neto
  • Patent number: 11212291
    Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
    Type: Grant
    Filed: June 26, 2019
    Date of Patent: December 28, 2021
    Assignee: Amazon Technologies, Inc.
    Inventors: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
  • Patent number: 10615987
    Abstract: A computer system associated with a certificate authority receives a request to obtain information that can be used to determine a validity status of a digital certificate. In response to the request, the computer system provides the information and updates usage information for the digital certificate to incorporate information obtained from the request. The usage information may be generated based at least in part on previous requests to obtain the information. Based at least in part on the usage information, the computer system will perform at least one operation associated with the digital certificate.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: April 7, 2020
    Assignee: Amazon Technologies, Inc.
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Publication number: 20200084195
    Abstract: A computer system detects that a digital certificate is set to expire within a threshold amount of time. In response to detecting that the digital certificate is set to expire, the computer system generates an update to cause a second computer system to perform operations to indicate an upcoming expiration of the digital certificate. The computer system provides the update to the second computer system to cause the second computer system to perform the operations.
    Type: Application
    Filed: November 15, 2019
    Publication date: March 12, 2020
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Patent number: 10516542
    Abstract: A certificate authority receives a request to issue a digital certificate from a customer. In response to the request, the certificate authority determines a network endpoint to be specific to the digital certificate that is to serve information usable to determine whether the digital certificate is valid. The certificate authority issues, to the customer, a digital certificate that specifies a network address for the network endpoint and records information about requests made to the network endpoint to obtain the information usable to determine whether the digital certificate is valid.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: December 24, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Patent number: 10491403
    Abstract: In a distributed system, a computer system responsible, at least in part, for complying with a cryptographic key usage limit for a cryptographic key, obtains results of cryptographic operations generated based at least in part on the cryptographic key and transmits the obtained results over a network. The computer system digitally signs the results and provides the results with digital signatures of the results. Another device intercepts the results and allows the results to proceed to their destination contingent on successful validation of the digital signature.
    Type: Grant
    Filed: January 26, 2018
    Date of Patent: November 26, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Marcel Andrew Levy, Darren Ernest Canavor, Zachary Ganwise Fewtrell, Andrew Alphus Kimbrough, Jonathan Kozolchyk, Darin Keith McAdams, Pradeep Ramarao, Gregory Branchek Roth
  • Patent number: 10484355
    Abstract: A computer system detects that a digital certificate is set to expire within a threshold amount of time. In response to detecting that the digital certificate is set to expire, the computer system generates an update to cause a second computer system to perform operations to indicate an upcoming expiration of the digital certificate. The computer system provides the update to the second computer system to cause the second computer system to perform the operations.
    Type: Grant
    Filed: March 8, 2017
    Date of Patent: November 19, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler
  • Publication number: 20190319963
    Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
    Type: Application
    Filed: June 26, 2019
    Publication date: October 17, 2019
    Inventors: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
  • Patent number: 10356104
    Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
    Type: Grant
    Filed: May 25, 2018
    Date of Patent: July 16, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
  • Patent number: 10333937
    Abstract: A resource owner or administrator submits a request to a permissions management service to create a permissions grant which may include a listing of actions a user may perform on a resource. Accordingly, the permissions management service may create the permissions grant and use a private cryptographic key to digitally sign the created permissions grant. The permissions management service may transmit this digitally signed permissions grant, as well as a digital certificate comprising a public cryptographic key for validating the permissions grant, to a target resource. The target resource may use the public cryptographic key to validate the digital signature of the permissions grant and determine whether a user is authorized to perform one or more actions based at least in part on a request from the user to perform these one or more actions on the resource.
    Type: Grant
    Filed: June 2, 2017
    Date of Patent: June 25, 2019
    Assignee: Amazon Technologies, Inc.
    Inventors: Jon Arron McClintock, Darren Ernest Canavor, Daniel Wade Hitchcock, Jonathan Kozolchyk
  • Publication number: 20180316501
    Abstract: In some implementations, tokens that are representative of sensitive data may be used in place of the sensitive data to maintain the security of the sensitive data. For example, data may be separated into sensitive data and nonsensitive data, and at least the sensitive data is securely delivered to a data storage service. The data storage service generates a token that is representative of the sensitive data and stores the sensitive data as secure data. The data storage service may deliver the token to an entity that also receives the nonsensitive data, and the entity may use the token in place of the sensitive data. In some implementations, different tokens are generated each time the same piece of sensitive data is submitted for storage as secure data. Further, in some implementations, an expiration time may be assigned to sensitive data, and expired data and associated tokens may be deleted.
    Type: Application
    Filed: July 6, 2018
    Publication date: November 1, 2018
    Inventors: Jonathan Kozolchyk, Darren E. Canavor, Jeffrey J. Fielding, Vaibhav Mallya, Darin Keith McAdams
  • Publication number: 20180278621
    Abstract: A security service enables service providers to register available services. Prospective service consumers may register with the security service to access a particular registered service, and may specify conditions for access that are subject to approval by the corresponding service provider. Based on the registrations of the service provider and the service consumer, the security service can define access policies that may be enforced to control the conditions under which a service consumer accesses or utilizes the particular service. Additionally, changes to the access policies may be propagated to running services in near real time. Some implementations enable masking of information provided to particular service consumers based on determined needs of each service consumer for access to particular information. In some instances, the service providers may provide log information to the security service, which may be monitored to identify anomalies, security breaches or the like.
    Type: Application
    Filed: May 25, 2018
    Publication date: September 27, 2018
    Inventors: Jonathan Kozolchyk, Darin Keith McAdams, Jeffrey J. Fielding, Vaibhav Mallya, Darren E. Canavor
  • Publication number: 20180262347
    Abstract: A computer system associated with a certificate authority receives a request to obtain information that can be used to determine a validity status of a digital certificate. In response to the request, the computer system provides the information and updates usage information for the digital certificate to incorporate information obtained from the request. The usage information may be generated based at least in part on previous requests to obtain the information. Based at least in part on the usage information, the computer system will perform at least one operation associated with the digital certificate.
    Type: Application
    Filed: March 8, 2017
    Publication date: September 13, 2018
    Inventors: Marcel Andrew Levy, Peter Zachary Bowen, Jonathan Kozolchyk, Nicholas Wexler